Re: Updating PF to OpenBSD Release 4,1

From:

Jan Lentfer <Jan.Lentfer@xxxxxx>

Date:

Thu, 22 Jul 2010 22:03:36 +0200

Jan Lentfer schrieb:

I have made some progress on the PF work. pf.ko can be loaded and unloaded
(now even w/o panic, thanks to Aggelos) and I have updated pfctl to the
version that comes with OpenBSD 4.1. So you can enable PF, load rules and
view then and so on. All that works.
What doesn't work at all at the moment is the actual filtering. Packets
seem to pass through pf (evaluations counter is increased) but pf_test_tcp
seems to always return PF_PASS. I have added a panic("debug") where I think
the investigation should start. Aggelos has helped me a lot on this also
but since I will be away for 2 weeks I would like to make my current status
public. So anyone willing to look into it could do so. I might find the
time to work a little bit on it until friday. I will keep you informed if I
change anything on the tree before I leave.

I have made another major progress on this (again 2 thumbs up for
Aggelos for helping). I tested filtering (block and pass rules), nat and
port forwarding (rdr rules). All of that seems to work fine in my tests.
I have only tested the single features, not in combination, though.

What I have not tested at all until now it ALTQ and DF's fairq extension.

Also state keeping is working (and is now default, not due to my
decision but it became default in OBSD 4.1 afaict). So this is ready now
for "public" testing. I would appreciate very much if people with some
sophisticated setup or in-depth pf knowledge could test and give some
feedback.

Be aware that this still pukes out tons of debugging info (propably not
useful to anyone but me) on the sys console. I will remove those step by
step now.

Finally also be aware that my branch is still based on master from May
or so. I haven't rebased it yet. Will do that some time soon.